In short: yes, you should trust your business associates, but you must verify what they are claiming. So you should trust them, but you shouldn’t put faith in them. Whether you are a medical provider dealing with a business associate or a business associate engaging a subcontracting business associate, handing over data on the simple faith that your business associate is telling the truth and securing your patients’ data is not enough. If a breach occurs, or if you get audited, OCR enforcers will not take kindly to your lax attitude.
Why is this the case?
Any website or Business Associate that targets the healthcare market advertises itself as HIPAA compliant. Gold stickers and official-looking celebrations of compliance are everywhere. The first issue is that there is no official accrediting agency that can put a stamp of ‘HIPAA Compliant’ on anything or anybody.
Take Omnicell – they claim to have spent “179,605 hours analyzing ways to be regulatory compliant 24 hours a day”, which is quite a claim. In addition, they signed contracts stating that they would only store patient data on encrypted drives.
On November 14th, a laptop was stolen from an Omnicell employee. The laptop was unencrypted, which automatically constitutes a data breach. In the aftermath, 4,000 patients in the University of Michigan Health System had to be notified that their patient health information was compromised.
This example reveals: marketing statements and contracts don’t mean anything. Strong Business Associate Contracts are an important step in a relationship, but they are not enough. Your business needs more than words about compliance to avoid penalties: it needs proof.
So what do we need from our Business Associates?
In short: as much as you can get. This can sometimes be problematic for smaller healthcare providers, who often don’t carry much weight with their vendors. However, regardless of your size or position in the marketplace, you should try to get as much proof as possible. One way to approach this: look at your own compliance process – what paperwork would you produce to auditors if they demanded proof of your compliance? The same logic can be used to analyze how your business associates would prove their compliance to you.
For example: if a Business Associate says that their staff is trained on HIPAA – where’s the proof? Are there test sheets? Are there attendance sheets?
If you can’t prove that your Business Associate is actually implementing HIPAA controls, then you’re leaving yourself subject to a major risk.
In addition, with the new HIPAA Omnibus rule that has now taken effect, these Business Associates are required to comply with HIPAA. If they don’t have the documentation you’ll be asking for, there’s a serious problem there.
If you’re lost here, or need help understanding your or your Business Associate’s obligations under HIPAA, please contact us.